fix: tighten CSP, fix API key exposure, improve error handling

- Remove 'unsafe-inline' from script-src CSP directive
- Restrict connectSrc and imgSrc to known external domains
- Move Google API key from URL query parameter to X-Goog-Api-Key header
- Sanitize error logging in production (no stack traces)
- Log file link errors instead of silently swallowing them

https://claude.ai/code/session_01SoQKcF5Rz9Y8Nzo4PzkxY8
This commit is contained in:
Claude
2026-03-30 23:34:55 +00:00
parent fedd559fd6
commit 804c2586a9
3 changed files with 28 additions and 10 deletions


@@ -275,7 +275,9 @@ router.post('/:id/link', authenticate, (req: Request, res: Response) => {
db.prepare('INSERT OR IGNORE INTO file_links (file_id, reservation_id, assignment_id, place_id) VALUES (?, ?, ?, ?)').run(
id, reservation_id || null, assignment_id || null, place_id || null
);
} catch {}
} catch (err) {
console.error('[Files] Error creating file link:', err instanceof Error ? err.message : err);
}
const links = db.prepare('SELECT * FROM file_links WHERE file_id = ?').all(id);
res.json({ success: true, links });
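Review bot: When the INSERT inside the try block throws, the new `} catch (err) {` only logs and the handler falls through to `res.json({ success: true, links })`, so the client is told the link was created even though nothing was persisted. Consider ending the catch with an explicit failure response so callers can tell a failed insert from a successful no-op, e.g. `return res.status(500).json({ success: false, error: 'Failed to create file link' });` after the console.error. Keep `err.message` in the server log only — it may echo driver or request-derived detail that should not reach the HTTP response. The enclosing `try` and the route handler both begin outside the hunk.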


@@ -426,7 +426,8 @@ router.get('/place-photo/:placeId', authenticate, async (req: Request, res: Resp
const attribution = photo.authorAttributions?.[0]?.displayName || null;
const mediaRes = await fetch(
`https://places.googleapis.com/v1/${photoName}/media?maxHeightPx=600&key=${apiKey}&skipHttpRedirect=true`
`https://places.googleapis.com/v1/${photoName}/media?maxHeightPx=600&skipHttpRedirect=true`,
{ headers: { 'X-Goog-Api-Key': apiKey } }
);
const mediaData = await mediaRes.json() as { photoUri?: string };
const photoUrl = mediaData.photoUri;